fix(security): eliminate XSS vulnerabilities in mobile.html and swarm_live.html

Replace all innerHTML string interpolation with safe DOM methods
(createElement, textContent, appendChild) to prevent script injection
from user chat messages and WebSocket agent data.

Fixes: XSS-01, XSS-02

src/dashboard/templates/mobile.html

@@ -193,12 +193,17 @@ async function sendMobileMessage(event) {
             chat.scrollTop = chat.scrollHeight;
         }
     } catch (e) {
-        chat.innerHTML += `
-            <div class="chat-message timmy">
-                <div class="chat-meta">Timmy</div>
-                <div style="color: var(--danger);">Sorry, I couldn't process that. Try again?</div>
-            </div>
-        `;
+        const errDiv = document.createElement('div');
+        errDiv.className = 'chat-message timmy';
+        const errMeta = document.createElement('div');
+        errMeta.className = 'chat-meta';
+        errMeta.textContent = 'Timmy';
+        const errText = document.createElement('div');
+        errText.style.color = 'var(--danger)';
+        errText.textContent = 'Sorry, I could not process that. Try again?';
+        errDiv.appendChild(errMeta);
+        errDiv.appendChild(errText);
+        chat.appendChild(errDiv);
         chat.scrollTop = chat.scrollHeight;
     }
 }